CVE-2025-6238 · HIGH 8.0 · EPSS percentile 21.8%

CVE-2025-6238

Description

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation: the 'redirect_uri' parameter is not validated during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: in the patched version 2.8.5, OAuth is disabled and the 'Meow_MWAI_Labs_OAuth' class is no longer loaded by the plugin.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.8% · 2026-06-18T12:00:27Z
Published: 2025-07-04
Last modified: 2025-08-13

Underlying weaknesses (1)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

References

  1. https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.8.4/labs/oauth.php
  2. https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/mcp.php
  3. https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/oauth.php
  4. https://www.wordfence.com/threat-intel/vulnerabilities/id/1edc84fd-8cb5-4899-9444-1b6ae3144917?source=cve

Type      Target                                                          Confidence  Tier
Weakness  URL Redirection to Untrusted Site ('Open Redirect'), CWE-601    0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-5071 (CVE)
  2. CVE-2026-8719 (CVE)
  3. CVE-2025-11749 (CVE)
  4. CVE-2025-7847 (CVE)
  5. CVE-2025-58207 (CVE)
  6. CVE-2025-31678 (CVE)
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.